Example 1 with SamlToken
use of org.apache.wss4j.policy.model.SamlToken in project cxf by apache.
the class AsymmetricBindingHandler method doSignBeforeEncrypt.
private void doSignBeforeEncrypt() {
try {
AbstractTokenWrapper initiatorWrapper = abinding.getInitiatorSignatureToken();
if (initiatorWrapper == null) {
initiatorWrapper = abinding.getInitiatorToken();
}
assertTokenWrapper(initiatorWrapper);
boolean attached = false;
if (initiatorWrapper != null) {
AbstractToken initiatorToken = initiatorWrapper.getToken();
if (initiatorToken instanceof IssuedToken) {
SecurityToken secToken = getSecurityToken();
if (secToken == null) {
unassertPolicy(initiatorToken, "Security token is not found or expired");
return;
} else if (isTokenRequired(initiatorToken.getIncludeTokenType())) {
Element el = secToken.getToken();
this.addEncryptedKeyElement(cloneElement(el));
attached = true;
}
} else if (initiatorToken instanceof SamlToken && isRequestor()) {
SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken) initiatorToken);
if (assertionWrapper != null && isTokenRequired(initiatorToken.getIncludeTokenType())) {
Element envelope = saaj.getSOAPPart().getEnvelope();
envelope = (Element) DOMUtils.getDomElement(envelope);
addSupportingElement(assertionWrapper.toDOM(envelope.getOwnerDocument()));
storeAssertionAsSecurityToken(assertionWrapper);
}
} else if (initiatorToken instanceof SamlToken) {
String tokenId = getSAMLToken();
if (tokenId == null) {
unassertPolicy(initiatorToken, "Security token is not found or expired");
return;
}
}
assertToken(initiatorToken);
}
// Add timestamp
List<WSEncryptionPart> sigs = new ArrayList<>();
if (timestampEl != null) {
WSEncryptionPart timestampPart = convertToEncryptionPart(timestampEl.getElement());
sigs.add(timestampPart);
}
addSupportingTokens(sigs);
sigs.addAll(this.getSignedParts(null));
if (isRequestor() && initiatorWrapper != null) {
doSignature(initiatorWrapper, sigs, attached);
doEndorse();
} else if (!isRequestor()) {
// confirm sig
addSignatureConfirmation(sigs);
AbstractTokenWrapper recipientSignatureToken = abinding.getRecipientSignatureToken();
if (recipientSignatureToken == null) {
recipientSignatureToken = abinding.getRecipientToken();
}
if (recipientSignatureToken != null) {
assertTokenWrapper(recipientSignatureToken);
assertToken(recipientSignatureToken.getToken());
doSignature(recipientSignatureToken, sigs, attached);
}
}
List<WSEncryptionPart> enc = getEncryptedParts();
// Check for signature protection
if (abinding.isEncryptSignature()) {
if (mainSigId != null) {
WSEncryptionPart sigPart = new WSEncryptionPart(mainSigId, "Element");
sigPart.setElement(bottomUpElement);
enc.add(sigPart);
}
if (sigConfList != null && !sigConfList.isEmpty()) {
enc.addAll(sigConfList);
}
assertPolicy(new QName(abinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
}
// Do encryption
AbstractTokenWrapper encToken;
if (isRequestor()) {
enc.addAll(encryptedTokensList);
encToken = abinding.getRecipientEncryptionToken();
if (encToken == null) {
encToken = abinding.getRecipientToken();
}
} else {
encToken = abinding.getInitiatorEncryptionToken();
if (encToken == null) {
encToken = abinding.getInitiatorToken();
}
}
if (encToken != null) {
if (encToken.getToken() != null && !enc.isEmpty()) {
final WSSecBase encr;
if (encToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
encr = doEncryptionDerived(encToken, enc);
} else {
String symEncAlgorithm = abinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption();
KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm);
SecretKey symmetricKey = keyGen.generateKey();
encr = doEncryption(encToken, enc, false, symmetricKey);
}
encr.clean();
}
assertTokenWrapper(encToken);
assertToken(encToken.getToken());
}
} catch (Exception e) {
String reason = e.getMessage();
LOG.log(Level.WARNING, "Sign before encryption failed due to : " + reason);
LOG.log(Level.FINE, e.getMessage(), e);
throw new Fault(e);
}
}
Also used :
WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart)
SamlToken(org.apache.wss4j.policy.model.SamlToken)
QName(javax.xml.namespace.QName)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
Element(org.w3c.dom.Element)
ArrayList(java.util.ArrayList)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
Fault(org.apache.cxf.interceptor.Fault)
SOAPException(javax.xml.soap.SOAPException)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
InvalidCanonicalizerException(org.apache.xml.security.c14n.InvalidCanonicalizerException)
TokenStoreException(org.apache.cxf.ws.security.tokenstore.TokenStoreException)
SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken)
WSSecBase(org.apache.wss4j.dom.message.WSSecBase)
SecretKey(javax.crypto.SecretKey)
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
AbstractTokenWrapper(org.apache.wss4j.policy.model.AbstractTokenWrapper)
KeyGenerator(javax.crypto.KeyGenerator)
Example 2 with SamlToken
use of org.apache.wss4j.policy.model.SamlToken in project cxf by apache.
the class AbstractCommonBindingHandler method assertToken.
protected void assertToken(AbstractToken token) {
if (token == null) {
return;
}
assertPolicy(token.getName());
String namespace = token.getName().getNamespaceURI();
if (token.getDerivedKeys() != null) {
assertPolicy(new QName(namespace, token.getDerivedKeys().name()));
}
if (token instanceof X509Token) {
X509Token x509Token = (X509Token) token;
assertX509Token(x509Token);
} else if (token instanceof HttpsToken) {
HttpsToken httpsToken = (HttpsToken) token;
if (httpsToken.getAuthenticationType() != null) {
assertPolicy(new QName(namespace, httpsToken.getAuthenticationType().name()));
}
} else if (token instanceof KeyValueToken) {
KeyValueToken keyValueToken = (KeyValueToken) token;
if (keyValueToken.isRsaKeyValue()) {
assertPolicy(new QName(namespace, SPConstants.RSA_KEY_VALUE));
}
} else if (token instanceof UsernameToken) {
UsernameToken usernameToken = (UsernameToken) token;
assertUsernameToken(usernameToken);
} else if (token instanceof SecureConversationToken) {
SecureConversationToken scToken = (SecureConversationToken) token;
assertSecureConversationToken(scToken);
} else if (token instanceof SecurityContextToken) {
SecurityContextToken scToken = (SecurityContextToken) token;
assertSecurityContextToken(scToken);
} else if (token instanceof SpnegoContextToken) {
SpnegoContextToken scToken = (SpnegoContextToken) token;
assertSpnegoContextToken(scToken);
} else if (token instanceof IssuedToken) {
IssuedToken issuedToken = (IssuedToken) token;
assertIssuedToken(issuedToken);
} else if (token instanceof KerberosToken) {
KerberosToken kerberosToken = (KerberosToken) token;
assertKerberosToken(kerberosToken);
} else if (token instanceof SamlToken) {
SamlToken samlToken = (SamlToken) token;
assertSamlToken(samlToken);
}
}
Also used :
HttpsToken(org.apache.wss4j.policy.model.HttpsToken)
X509Token(org.apache.wss4j.policy.model.X509Token)
SamlToken(org.apache.wss4j.policy.model.SamlToken)
SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)
QName(javax.xml.namespace.QName)
KerberosToken(org.apache.wss4j.policy.model.KerberosToken)
KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken)
SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken)
Example 3 with SamlToken
use of org.apache.wss4j.policy.model.SamlToken in project cxf by apache.
the class SamlTokenPolicyValidator method validatePolicies.
/**
* Validate policies.
*/
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
for (AssertionInfo ai : ais) {
SamlToken samlToken = (SamlToken) ai.getAssertion();
ai.setAsserted(true);
assertToken(samlToken, parameters.getAssertionInfoMap());
if (!isTokenRequired(samlToken, parameters.getMessage())) {
PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), new QName(samlToken.getVersion().getNamespace(), samlToken.getSamlTokenType().name()));
continue;
}
if (parameters.getSamlResults().isEmpty()) {
ai.setNotAsserted("The received token does not match the token inclusion requirement");
continue;
}
String valSAMLSubjectConf = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, parameters.getMessage());
boolean validateSAMLSubjectConf = true;
if (valSAMLSubjectConf != null) {
validateSAMLSubjectConf = Boolean.parseBoolean(valSAMLSubjectConf);
}
// All of the received SAML Assertions must conform to the policy
for (WSSecurityEngineResult result : parameters.getSamlResults()) {
SamlAssertionWrapper assertionWrapper = (SamlAssertionWrapper) result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
if (!checkVersion(parameters.getAssertionInfoMap(), samlToken, assertionWrapper)) {
ai.setNotAsserted("Wrong SAML Version");
continue;
}
if (validateSAMLSubjectConf) {
TLSSessionInfo tlsInfo = parameters.getMessage().get(TLSSessionInfo.class);
Certificate[] tlsCerts = null;
if (tlsInfo != null) {
tlsCerts = tlsInfo.getPeerCertificates();
}
if (!checkHolderOfKey(assertionWrapper, parameters.getSignedResults(), tlsCerts)) {
ai.setNotAsserted("Assertion fails holder-of-key requirements");
continue;
}
if (parameters.getSoapBody() == null || !DOMSAMLUtil.checkSenderVouches(assertionWrapper, tlsCerts, parameters.getSoapBody(), parameters.getSignedResults())) {
ai.setNotAsserted("Assertion fails sender-vouches requirements");
continue;
}
}
/*
if (!checkIssuerName(samlToken, assertionWrapper)) {
ai.setNotAsserted("Wrong IssuerName");
}
*/
}
}
}
Also used :
AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo)
SamlToken(org.apache.wss4j.policy.model.SamlToken)
QName(javax.xml.namespace.QName)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
TLSSessionInfo(org.apache.cxf.security.transport.TLSSessionInfo)
WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult)
Certificate(java.security.cert.Certificate)
Example 4 with SamlToken
use of org.apache.wss4j.policy.model.SamlToken in project cxf by apache.
the class SignedTokenPolicyValidator method validatePolicies.
/**
* Validate policies.
*/
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
for (AssertionInfo ai : ais) {
SupportingTokens binding = (SupportingTokens) ai.getAssertion();
ai.setAsserted(true);
setSignedParts(binding.getSignedParts());
setEncryptedParts(binding.getEncryptedParts());
setSignedElements(binding.getSignedElements());
setEncryptedElements(binding.getEncryptedElements());
List<AbstractToken> tokens = binding.getTokens();
for (AbstractToken token : tokens) {
if (!isTokenRequired(token, parameters.getMessage())) {
continue;
}
boolean processingFailed = false;
if (token instanceof UsernameToken) {
if (!processUsernameTokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof SamlToken) {
if (!processSAMLTokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof KerberosToken) {
if (!processKerberosTokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof X509Token) {
if (!processX509Tokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof KeyValueToken) {
if (!processKeyValueTokens(parameters)) {
processingFailed = true;
}
} else if (token instanceof SecurityContextToken) {
if (!processSCTokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof IssuedToken) {
IssuedToken issuedToken = (IssuedToken) token;
if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, false)) {
processingFailed = true;
}
} else {
processingFailed = true;
}
if (processingFailed) {
ai.setNotAsserted("The received token does not match the signed supporting token requirement");
continue;
}
}
}
}
Also used :
SupportingTokens(org.apache.wss4j.policy.model.SupportingTokens)
AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo)
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
SamlToken(org.apache.wss4j.policy.model.SamlToken)
X509Token(org.apache.wss4j.policy.model.X509Token)
SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)
KerberosToken(org.apache.wss4j.policy.model.KerberosToken)
KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
Example 5 with SamlToken
use of org.apache.wss4j.policy.model.SamlToken in project cxf by apache.
the class EndorsingTokenPolicyValidator method validatePolicies.
/**
* Validate policies.
*/
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
for (AssertionInfo ai : ais) {
SupportingTokens binding = (SupportingTokens) ai.getAssertion();
ai.setAsserted(true);
setSignedParts(binding.getSignedParts());
setEncryptedParts(binding.getEncryptedParts());
setSignedElements(binding.getSignedElements());
setEncryptedElements(binding.getEncryptedElements());
List<AbstractToken> tokens = binding.getTokens();
for (AbstractToken token : tokens) {
if (!isTokenRequired(token, parameters.getMessage())) {
assertDerivedKeys(token, parameters.getAssertionInfoMap());
assertSecurePartsIfTokenNotRequired(binding, parameters.getAssertionInfoMap());
continue;
}
DerivedKeys derivedKeys = token.getDerivedKeys();
boolean derived = derivedKeys == DerivedKeys.RequireDerivedKeys;
boolean processingFailed = false;
if (token instanceof KerberosToken) {
if (!processKerberosTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof X509Token) {
if (!processX509Tokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof KeyValueToken) {
if (!processKeyValueTokens(parameters)) {
processingFailed = true;
}
} else if (token instanceof UsernameToken) {
if (!processUsernameTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
if (!processSCTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof SamlToken) {
if (!processSAMLTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof IssuedToken) {
IssuedToken issuedToken = (IssuedToken) token;
if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, derived)) {
processingFailed = true;
}
} else {
processingFailed = true;
}
if (processingFailed) {
ai.setNotAsserted("The received token does not match the endorsing supporting token requirement");
continue;
}
if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
assertDerivedKeys(token, parameters.getAssertionInfoMap());
}
}
}
}
Also used :
SupportingTokens(org.apache.wss4j.policy.model.SupportingTokens)
AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo)
SamlToken(org.apache.wss4j.policy.model.SamlToken)
KerberosToken(org.apache.wss4j.policy.model.KerberosToken)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken)
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
X509Token(org.apache.wss4j.policy.model.X509Token)
SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)
KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken)
DerivedKeys(org.apache.wss4j.policy.model.AbstractToken.DerivedKeys)
Aggregations
SamlToken (org.apache.wss4j.policy.model.SamlToken)26
IssuedToken (org.apache.wss4j.policy.model.IssuedToken)20
AbstractToken (org.apache.wss4j.policy.model.AbstractToken)18
X509Token (org.apache.wss4j.policy.model.X509Token)14
KerberosToken (org.apache.wss4j.policy.model.KerberosToken)13
SecurityContextToken (org.apache.wss4j.policy.model.SecurityContextToken)13
SpnegoContextToken (org.apache.wss4j.policy.model.SpnegoContextToken)13
UsernameToken (org.apache.wss4j.policy.model.UsernameToken)13
AssertionInfo (org.apache.cxf.ws.policy.AssertionInfo)12
KeyValueToken (org.apache.wss4j.policy.model.KeyValueToken)12
SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)11
Element (org.w3c.dom.Element)11
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)10
SupportingTokens (org.apache.wss4j.policy.model.SupportingTokens)9
SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper)8
QName (javax.xml.namespace.QName)7
Fault (org.apache.cxf.interceptor.Fault)7
SOAPException (javax.xml.soap.SOAPException)6
TokenStoreException (org.apache.cxf.ws.security.tokenstore.TokenStoreException)5
AlgorithmSuiteType (org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType)5
